Physical Safeguard Standard, Workstation Security-What to Do and How to Do It

In our series on the HIPAA Administrative Simplification Security Rule, this is the third Physical Safeguard Standard, Workstation Security. The implementation specification for this standard is defined by the standard title, and is required. As we have noted in earlier postings on HIPAA.com, business associates of covered entities will be required to comply with the Security Rule safeguard standards, beginning February 17, 2010. This requirement is one of the HITECH Act provisions of the American Recovery and Reinvestment Act (ARRA), signed by President Obama on February 17, 2009.

What to Do

A covered entity must implement physical safeguards for all workstations that access electronic protected health information to restrict access to authorized users.

How to Do It

A covered entity is required to secure workstations in such a manner that access is restricted to authorized users. The solution is “dependent on the [covered] entity’s risk analysis and risk management process,” and may involve controlled access to the workstation or controls on the workstation that restrict access of unauthorized users. [68 Federal Register 8354] As with many of the implementation specifications for the Security Rule standards, the solution depends on the outcomes of the covered entity’s risk analysis.

An example of an appropriate workstation security requirement would be a policy that workforce members log off before leaving electronic media unattended. Another example, for a workstation in a controlled access environment, would be a policy requiring automatic logoff after a defined period of inactivity, say, ten minutes or less. A final example would be to control access to the Internet while working with electronic protected health information, in an effort to minimize unauthorized access by an outsider to such information. This is especially important as mobile devices such as personal data assistants (PDAs) with browser access proliferate in the healthcare community.

Finally, a covered entity also must pay particular attention to electronic media devices used by receptionists. This pertains primarily to healthcare providers, but also may pertain to any receptionist in a covered entity that handles overflow processing of healthcare matters involving electronic protected health information. A receptionist position is a highly vulnerable point of unauthorized access and should be addressed specifically in a covered entity’s risk analysis. Any workstation, in a controlled access environment or not, should be shielded physically from view by passersby who are not authorized to have access to electronic protected health information.

A covered entity’s Security Official should establish and implement policies and procedures to protect workstations and restrict access to authorized users.